PayPal is now offering a free URL redirection service

Written by DP

Sunday, 4 November 2007

Nemessis has discovered a new XSS/URL redirect vulnerability on You can simply choose your preferable landing URL. This service is revolutionary as there is no need to register on the site. Anyone can use it for free. Phishers can use a bulk e-mailer and include their fake PayPal URL. No all internet users are aware about phishing attacks. It will be pretty easy to be convinced that this is a genuine e-mail from PayPal requesting a verification of your account details. You also feel extra secure knowing that the session is encrypted with  128-bit SSL.

The same parameter (landing_url=) is also vulnerable to cross-site scripting.

Mirror of the PayPal URL redirect vulnerability:

PayPal XSS mirror:

I am expecting to see this vulnerability fixed later today.

Thank you Nemessis for bringing up the issue! ;)

Related News: - 29 April 2007

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.